b'    DEPARTMENT OF HOMELAND SECURITY\n\n            Office of Inspector General\n    <\n\n\n\n\n                     Letter Report: \n\n\n            Review of DHS\xe2\x80\x99 Financial Systems \n\n                 Consolidation Project \n\n\n\n\n\nOIG-08-47                               May 2008\n\x0c                                                                             Office of Inspector General\n\n                                                                             U.S. Department of Homeland Security\n                                                                             Washington, DC 20528\n\n\n\n\n                                          May 9, 2008\n\n\nMEMORANDUM FOR:              David Norquist\n                             Chief Financial Officer\n\n\nFROM:                        Richard L. Skinner\n                             Inspector General\n\nSUBJECT:                     Review of DHS\xe2\x80\x99 Financial Systems Consolidation Project, OIG-08-47\n\nWe evaluated the Department of Homeland Security\xe2\x80\x99s (DHS) financial systems consolidation\nstrategy. Specifically, our objective was to determine the progress DHS is making in developing\nand implementing its financial systems consolidation plan.\n\nThe Resource Management Transformation Office (RMTO) has developed a strategy to\nconsolidate key component financial systems to either the Systems Applications and Products\n(SAP) or Oracle Financial platforms. In addition, the RMTO has developed project plans and\nother supporting documentation for this financial systems consolidation project. These items\ninclude a migration timeline, a draft concept of operations, a systems development lifecycle\ndocument, and an internal alternatives analysis.\n\nGenerally, the RMTO\xe2\x80\x99s evaluation provided adequate support for its decision to use two financial\nsystems solutions. However, the RMTO has not conducted a complete analysis of possible service\nproviders outside of DHS as required by Office of Management and Budget (OMB) guidance, and\nDHS does not have a documented waiver from OMB indicating that they do not have to comply\nwith this guidance. Additionally, during the fiscal year 2007 financial statement audit, the external\nauditors outlined problems with the change control process in the Oracle platform. These change\ncontrol problems could cause unsupported adjustments to not only the United States Coast Guard\n(Coast Guard) and Transportation Security Administration (TSA) financial data, but also to the\ndata of other DHS components that will be migrated to the new financial system. Finally, the\nexternal auditors said that these change control issues could potentially lead to a scope limitation\nfor the DHS financial statement audit.\n\nOur report contains 3 recommendations aimed at improving the overall effectiveness of DHS\xe2\x80\x99\nstrategy to consolidate financial systems within the department. These recommendations advise\nthat the RMTO conduct a full analysis of possible service providers in the federal government,\nincluding the OMB centers of excellence, to determine if any of these systems can meet DHS\xe2\x80\x99\nfinancial management needs. In addition, the RMTO needs to improve its change control\n                   Letter Report: Review of DHS\xe2\x80\x99 Financial Systems Consolidation Project\n\n                                                    1\n\x0c    processes by identifying and correcting scripts being used by the Coast Guard and TSA. Your\n    office concurred with all recommendations. Within 90 days of the date of this memorandum,\n    please provide our office with additional information about the activities underway or planned by\n    the RMTO to address our recommendations, including responsible parties, key milestones, and\n    other supporting information.\n\n    Consistent with our responsibility under the Inspector General Act, we are providing copies of our\n    report to appropriate congressional committees with oversight and appropriation responsibility\n    over the DHS. In addition, we will post a copy of the report on our website for public\n    dissemination.\n\n    Should you have any questions, please call me, or your staff may contact Frank Deffer, Assistant\n    Inspector General for IT Audits, at (202) 254-4100.\n\n    Financial Systems Consolidation Strategy\n\n    The DHS Chief Financial Officer (CFO) has developed a strategy to consolidate the department\xe2\x80\x99s\n    financial systems down to two platforms\xe2\x80\x94SAP and Oracle Financials. This effort is being called\n    the Transformation and Systems Consolidation (TASC) program. According to the RMTO, by\n    deciding to consolidate to these two financial systems, the CFO chose the decision of least risk,\n    which is to move to an alternative already in place and one with which some of the components are\n    already familiar. SAP and Oracle Financials are also two of the most widely used financial\n    systems in the private and public sectors. In addition, these two financial platforms have been\n    approved by the DHS Chief Information Officer (CIO) and meet the requirements of the\n    department\xe2\x80\x99s enterprise architecture. This is outlined in Homeland Security Management\n    Directive number 0007.1, which states that each IT investment must align with the overall DHS\n    enterprise architecture. 1 By selecting a system that meets the CIO\xe2\x80\x99s guidelines, approval by the\n    CIO\xe2\x80\x99s enterprise architecture committee is not required.\n\n    By consolidating down to these two platforms, the use of other department-wide financial systems\n    will be minimized by the year 2011\xe2\x80\x9442% of components transitioned by 2009 and 96% of\n    components transitioned by 2011. Figure 1 represents the consolidation of DHS budget authority\n    from eight financial systems to four by 2011. The major financial systems included in Figure 1 are\n    as follows: Integrated Financial Management Information System (IFMIS), Oracle Federal\n    Financial system (OFF), SAP, Federal Financial Management System (FFMS), Momentum, and\n    the Department of Justice (DOJ). Eventually, the department will move from the two solutions to\n    one final platform after the year 2011.\n\n\n\n\n1\n Homeland Security Management Directives System 0007.1, Information Technology Integration and\nManagement, March 15, 2007.\n                       Letter Report: Review of DHS\xe2\x80\x99 Financial Systems Consolidation Project\n\n                                                        2\n\x0c           Figure 1: DHS Budget Authority\n    The migration plan created by the RMTO and approved by Congress as part of the fiscal years\n    2007-2008 expenditure plan is to incorporate the smaller components onto the Oracle platform and\n    develop a best practices methodology to be used for the migration of larger components in the later\n    years of the program. Once the Oracle baseline is in place, the solutions architect2 will re-host the\n    TSA and the Domestic Nuclear Detection Office to the DHS datacenter location in Stennis,\n    Mississippi. 3 Following this move, the solutions architect will migrate the Office of Health\n    Affairs and the Science and Technology directorates to the new baseline. Shown in Table 1 are the\n    components and their current financial management systems. By the end of FY 2011, most of\n    these components, with the exception of the Federal Law Enforcement Training Center and the\n    U.S. Secret Service, will be moving to one of the two platforms.\n\n                   DHS Component                                     Current Financial System\n     Federal Law Enforcement Training Center                  Momentum\n     U.S. Customs and Border Protection                       Systems Applications and Products in\n                                                              Data Processing (SAP)\n     U.S. Coast Guard                                         Core Accounting System (Oracle-based)\n     Transportation Security Administration                   Core Accounting System (Oracle-based)\n     Domestic Nuclear Detection Office                        Core Accounting System (Oracle-based)\n     Federal Emergency Management Agency                      Integrated Financial Management\n                                                              Information System\n     U.S. Secret Service                                      Core Accounting System (Oracle-based)\n     Immigration and Customs Enforcement                      Federal Financial Management System\n     Citizenship and Immigration Service                      Federal Financial Management System\n     DHS Headquarters                                         Federal Financial Management System\n         \xe2\x80\xa2 Office of Health Affairs\n         \xe2\x80\xa2 Science and Technology Directorate\n         \xe2\x80\xa2 Office of the Chief Information Officer\n         \xe2\x80\xa2 Office of the Chief Financial Officer\n         \xe2\x80\xa2 Office of the Chief Procurement Officer\n         \xe2\x80\xa2 National Protection and Programs\n         \xe2\x80\xa2 Intelligence and Analysis\n         \xe2\x80\xa2 Operations Coordination\nTable 1 \xe2\x80\x93 DHS Components and Financial Systems\n\n2\n    The solutions architect is the company that wins the contract award for the TASC project.\n3\n Currently the U.S. Coast Guard is the service provider for both the TSA and the Domestic Nuclear Detection\nOffice.\n                       Letter Report: Review of DHS\xe2\x80\x99 Financial Systems Consolidation Project\n\n                                                        3\n\x0c    Throughout this process, the focus of the RMTO\xe2\x80\x99s work has been on the Oracle baseline. For\n    example, the request for proposals issued via the Enterprise Acquisition Gateway and Leading\n    Edge solution states that there are two approved shared baselines for the financial systems\n    consolidation; however, all of the tasks outlined in the RMTO documentation focus on the\n    activities that pertain to the Oracle baseline. In addition, RMTO officials said that the only\n    component that is considering moving to the SAP baseline is the Federal Emergency Management\n    Agency (FEMA). However, additional evaluation needs to be completed by the RMTO and the\n    solutions architect prior to the final decision. Moreover, the RMTO has created some of the\n    documentation critical to DHS\xe2\x80\x99 success in implementing an integrated financial system\xe2\x80\x94all for\n    the Oracle platform. These documents include a concept of operations, a draft program\n    management plan, a systems development lifecycle document, a risk management plan, and a\n    migration timeline. The RMTO is also currently working on a governance plan and charter, a\n    change control configuration document, and a helpdesk support document.\n\n    Evaluation of Operational Solutions Not Complete\n\n    DHS did not perform a complete analysis of all potential systems and service providers as part of\n    its process to select a financial systems solution. As a result, DHS may not have had sufficient\n    information to support its decision to exclude obtaining financial system operational and hosting\n    support from other sources.\n\n    OMB Circular A-130 directs that federal agencies must ensure that decisions to improve existing\n    information systems or develop new information systems are initiated only when no alternative\n    private sector or governmental source can efficiently meet the need.4 Further, in 2005, OMB\n    issued additional guidance on the Federal Management Line of Business Initiative.5 The Financial\n    Management Line of Business Initiative\xe2\x80\x99s overall vision is to improve the cost, quality, and\n    performance of financial management systems by leveraging shared service solutions (i.e. Centers\n    of Excellence), and implementing other government-wide reforms that foster efficiencies in federal\n    financial operations. As required by this guidance, federal agencies must have competitive options\n    available for financial systems, including consideration of shared service alternatives and existing\n    federal financial systems, when deciding on a new agency financial system. As a part of this\n    guidance, OMB discussed requirements for transparency and standardization among the Financial\n    Management Line of Business Initiative and steps federal agencies should undertake in order to\n    migrate to a center of excellence.\n\n    Contrary to OMB guidance, the RMTO did not consider potential shared service providers or any\n    other external agency as part of the alternatives analysis for the TASC program. Instead, the\n    RMTO excluded the centers of excellence from consideration, without conducting a full analysis\n    of their respective capabilities. An RMTO official said the department had obtained a verbal\n    waiver from OMB, allowing DHS to exclude the centers of excellence from consideration, and to\n    proceed with RMTO\xe2\x80\x99s strategy for consolidating systems using the Oracle solution. OMB\n    officials said that this waiver, while not documented, represents OMB\xe2\x80\x99s official position on the\n\n4\n  Office of Management and Budget Circular A-130, Management of Federal Information Resources, \n\nNovember 28, 2000-Revision. \n\n5\n  Office of Management and Budget, Update on the Financial Management Line of Business and the \n\nFinancial Systems Integration Office, Memorandum, December 16, 2005.\n\n                       Letter Report: Review of DHS\xe2\x80\x99 Financial Systems Consolidation Project\n\n                                                        4\n\x0c    matter. However, section 10.b of OMB Circular A-130 calls for written waiver requests, and\n    requires that the agency publish the request in the Federal Register.\n\n    After obtaining the waiver from OMB, the RMTO began to look internally to leverage current\n    DHS investments. In determining which internal system solution was right for DHS, the RMTO\n    conducted multiple analyses of current DHS component financial systems. The first analysis\n    outlined DHS\xe2\x80\x99 financial management vision, the current state of DHS\xe2\x80\x99 financial management\n    systems, the consolidation approach, and recommendations on the way forward.\n\n    RMTO Analysis of Alternatives\n\n    As part of this analysis, the RMTO identified four alternatives within the department as possible\n    solutions for the financial systems consolidation effort. These four alternatives discussed were to:\n    (1) build a new Department-level financial management system to supersede the component-level\n    systems, (2) consolidate one or more existing component systems, (3) conduct a comprehensive\n    upgrade to existing systems to address corrective action plan weaknesses, and (4) maintain status\n    quo. Each of these alternatives was compared with the requirements outlined by the RMTO, and\n    the analysis disclosed that of these four alternatives, the consolidation of component systems met\n    all of these requirements.\n\n    Once it was determined that the consolidation of component systems would best meet the\n    department\xe2\x80\x99s needs, the RMTO performed a second analysis to identify which internal systems\n    could best be matched with internal DHS components. In this analysis the RMTO evaluated five\n    systems: (1) FFMS\xe2\x80\x94in use by the Immigrations and Customs Enforcement agency, (2) OFF\xe2\x80\x94in\n    use by TSA, (3) SAP\xe2\x80\x94in use by the Customs and Border Protection, (4) IFMIS\xe2\x80\x94in use by FEMA\n    and (5) Momentum\xe2\x80\x94in use by the Federal Law Enforcement Training Center. DHS determined\n    that using two service providers would be the best benefit for the department because this option\n    allowed DHS to leverage current investments already in place.\n\n    Generally, the RMTO\xe2\x80\x99s internal analyses provide adequate support for its decision to use two\n    service providers in the initial stages of its financial systems consolidation strategy. However, its\n    decision to exclude potential external service providers, such as other federal departments, is not\n    supported by any documented analysis, and thus is not justified and should be revisited. A\n    complete evaluation of potential service providers can help ensure that DHS is implementing the\n    best system to support the processing of financial transactions and ultimately help DHS receive an\n    unqualified opinion on its financial statements.\n\n    Change Control Issues Exist with One of the Proposed Solutions\n\n    The RMTO does not have a change control plan in place for the TASC program. As required by\n    the DHS Sensitive Systems Policy Directive 4300A, DHS is required to prepare configuration\n    management plans for all IT systems and establish, implement, and enforce configuration\n    management controls as set forth by the configuration management plan. 6 Additionally, DHS\xe2\x80\x99\n    draft System Lifecycle Guide requires that each IT project have a configuration plan, which\n\n6\n DHS Sensitive Systems Security Policy 4300.A, version 5.5, Information Technology Security Program,\nSeptember 2007.\n                        Letter Report: Review of DHS\xe2\x80\x99 Financial Systems Consolidation Project\n\n                                                         5\n\x0c    identifies the configuration management policy, procedures, structures, and roles/responsibilities to\n    be used in executing configuration management. This plan should also assess the impact of\n    change, define the Change Control Board, and identify the processes used by the Change Control\n    Board in evaluating and approving changes to the system. Additionally, OMB Memorandum 97-\n    16, Information Technology Architectures, requires configuration management and control\n    processes as well as quality software engineering processes be implemented to maintain\n    compliance with the architecture. 7 Specifically, this memorandum requires configuration changes\n    to be tested and validated prior to acceptance for operational use across the architecture. The\n    RMTO is finalizing a governance document and change control plan that will outline the process\n    for system changes for the financial system once the Oracle baseline is moved to the DHS data\n    center in Stennis, Mississippi.\n\n    The National Institute of Standards and Technology, Special Publication 800-53, states that\n    configuration change control involves the systematic proposal, justification, test/evaluation,\n    review, and disposition of proposed changes. 8 The external financial statement auditors reported a\n    lack of approvals for the initiation, testing, and final approval of regular and emergency system\n    changes. The external auditors also found that the Coast Guard\xe2\x80\x99s Finance Center in Chesapeake,\n    Virginia, developed its own process to create and implement changes through the use of scripts.\n    These scripts are used to increase the functionality of the system and fix data that are not properly\n    processed in Coast Guard and TSA financial systems. Some of these scripts were developed to\n    correct current software problems that have been awaiting development through the formal change\n    control process.\n\n    The presence of these scripts indicates that controls are not properly designed and that the integrity\n    of TSA and Coast Guard financial data can be compromised. These scripts may cause\n    unsupported adjustments to Coast Guard and TSA financial data that ultimately affect multiple\n    accounts and financial statement line items. In addition, because these scripts are unsupported,\n    there is the potential that they may not be considered when future system modifications and\n    interfaces are developed for these systems. This could lead to more transaction processing errors\n    that could result in the misstatement of Coast Guard, TSA, and DHS financial statements. The\n    external auditors have indicated that these scripts could lead to a potential scope limitation for the\n    financial statement audit.\n\n    An RMTO official said that the RMTO would look into the scripting problem with the TSA Oracle\n    Financial system. In addition, this official noted that while there will always be some scripts run\n    with any system chosen, the RMTO nonetheless needs to research the scripts that are currently run\n    to determine what procedures they perform and the effect of these procedures on TSA\xe2\x80\x99s financial\n    data.\n\n\n\n\n7\n Office of Management and Budget Memorandum 97-16, Information Technology Architectures, June 18, \n\n1997. \n\n8\n National Institute of Standards and Technology, Special Publications 800-53, revision 2 (Public \n\nDraft), Recommended Security Controls for Federal Information Systems, November 2007. \n\n                        Letter Report: Review of DHS\xe2\x80\x99 Financial Systems Consolidation Project\n\n                                                         6\n\x0cImpact of April 15, 2008, Court Decision\n\nAfter we issued our draft report, the United States Court of Federal Claims issued a ruling in the\nbid protest case of Savantage Financial Services, Inc. vs. United States. In its decision, the court\nruled that DHS\xe2\x80\x99 decision to use Oracle and SAP financial software systems via \xe2\x80\x9cBrand Name\nJustification\xe2\x80\x9d document is an improper sole source procurement in violation of the Competition in\nContracting Act. The court rejected DHS\xe2\x80\x99 argument that its solicitation was not a procurement,\nbut a task order under an existing contract. Further, the court determined that the DHS\xe2\x80\x99 sole\nsource procurement decision was arbitrary and capricious: there did not appear to be a reasonable\nbasis for DHS\xe2\x80\x99 decision, the contracting officer abused her discretion, and the decision violated\napplicable law. The court enjoined DHS from proceeding with the solicitation until DHS conducts\na competitive procurement in accordance with the law to select financial management systems\napplication software.\n\nIn response to this decision, RMTO is revisiting its financial systems consolidation strategy.\n\nRecommendations\nWe recommend that the DHS Chief Financial Officer direct the RMTO to:\n   \xe2\x80\xa2\t Recommendation #1: Conduct a full evaluation of financial service providers available in\n       the federal government, including OMB\xe2\x80\x99s shared service providers, to determine if any of\n       these systems can meet DHS\xe2\x80\x99 financial management needs more efficiently.\n   \xe2\x80\xa2\t Recommendation #2: Identify all scripts being used at the Coast Guard and TSA and\n       analyze them to determine their effect on financial transactions, as well as their effect on\n       DHS\xe2\x80\x99 financial statements.\n   \xe2\x80\xa2\t Recommendation #3: Correct the scripts before migrating any DHS components to the\n       new TSA based DHS financial system.\n\nManagement Comments and OIG Analysis\nWe obtained written comments on a draft of this report from the DHS CFO. We have included a\ncopy of the comments in their entirety at Appendix A.\n\nIn the comments, the CFO concurred with all of the findings and recommendations of our report.\nIn addition to providing formal responses to the three recommendations, the CFO and the RMTO\nprovided us with technical clarification on some statements in the report.\n\nIn response, the CFO concurred with Recommendation #1; however, the response does not\nadequately address our recommendation. The CFO\xe2\x80\x99s response states that the RMTO will look at\nexternal providers who can help DHS implement the current TSA baseline approach. This is not\nthe intent of our recommendation. The TSA baseline was selected by DHS without an analysis of\nfinancial systems external to DHS. The intent of our recommendation is for the CFO to review\nexternal agency financial systems to see if these systems are more efficient and cost effective to\nDHS before moving forward with the TSA baseline approach.\n\nRecommendation # 1 is considered unresolved and open.\n                   Letter Report: Review of DHS\xe2\x80\x99 Financial Systems Consolidation Project\n\n                                                    7\n\x0cIn response to recommendation # 2, the CFO stated that the RMTO has identified the scripts that\naffect financial transactions currently in use at the Coast Guard and the TSA. The CFO and\nRMTO have identified a total of 60 scripts, and in 20 cases the underlying issues have been\ncorrected and the scripts have been eliminated. Ten additional scripts have been corrected and are\nundergoing government acceptance testing, and 30 remaining scripts still need to be fixed. Once\nthe RMTO has successfully contracted a Solutions Architect, the RMTO, along with the contractor\nwill identify the impact area of each script, its materiality, and assign it a priority.\n\nIn response to recommendation #3, the CFO outlined various efforts to correct scripts before\nmigrating any DHS components to the new TSA based financial system. The CFO and RMTO\nwill ensure that scripts are eliminated before any components go to the new system. Project plans\nwill be available to oversee and monitor corrective action activities.\n\nRecommendations #2 and #3 are considered to be resolved but open pending verification of\nplanned action.\n\n******************\n\nThis review is based on analysis of applicable documentation and interviews with personnel and\nofficials of relevant agencies and institutions. We conducted our audit from August 2007 to\nJanuary 2008 under the authority of the Inspector General Act of 1978, as amended, and according\nto generally accepted government audit standards.\n\n\n\n\n                   Letter Report: Review of DHS\xe2\x80\x99 Financial Systems Consolidation Project\n\n                                                    8\n\x0cAppendix A: Management Response\n\n\n\n\n                 Letter Report: Review of DHS\xe2\x80\x99 Financial Systems Consolidation Project\n\n                                                  9\n\n\x0cAppendix A: Management Response\n\n\n\n\n                 Letter Report: Review of DHS\xe2\x80\x99 Financial Systems Consolidation Project\n\n                                                  10\n\n\x0cAppendix A: Management Response\n\n\n\n\n                 Letter Report: Review of DHS\xe2\x80\x99 Financial Systems Consolidation Project\n\n                                                  11\n\n\x0cAppendix A: Management Response\n\n\n\n\n                 Letter Report: Review of DHS\xe2\x80\x99 Financial Systems Consolidation Project\n\n                                                  12\n\n\x0cAppendix B: Major Contributors\n\n\n\n                   Frank Deffer, Assistant Inspector General, Department of Homeland Security,\n                   Information Technology Audits\n\n                   Sharon Huiswoud, Director, Department of Homeland Security, Information\n                   Technology Audits\n\n                   John McCoy, Director, Department of Homeland Security, Financial\n                   Management Audits\n\n                   Meghan Sanborn, Senior Program Analyst, Department of Homeland\n                   Security, Information Technology Audits\n\n                   Anthony Nicholson, Senior IT Auditor, Department of Homeland Security,\n                   Information Technology Audits\n\n                   Matthew Worner, Referencer, Department of Homeland Security, Information\n                   Technology Audits\n\n\n\n\n                  Letter Report: Review of DHS\xe2\x80\x99 Financial Systems Consolidation Project\n\n                                                   13\n\x0cAppendix C: Distribution List\n\n\n                    Department of Homeland Security\n\n                    Secretary\n                    Deputy Secretary\n                    Chief of Staff\n                    Deputy Chief of Staff\n                    General Counsel\n                    Executive Secretary\n                    Director, GAO/OIG Liaison Office\n                    Assistant Secretary for Policy\n                    Assistant Secretary for Legislative Affairs\n                    Assistant Secretary for Public Affairs\n                    Under Secretary for Management\n                    Director, GAO/OIG Liaison\n                    Chief Information Officer\n\n                    Office of Management and Budget\n\n                    Chief, Homeland Security Branch\n                    DHS OIG Budget Examiner\n\n                    Congress\n\n                    Congressional Oversight and Appropriations Committees, as appropriate\n\n\n\n\n                   Letter Report: Review of DHS\xe2\x80\x99 Financial Systems Consolidation Project\n\n                                                    14\n\x0cAdditional Information and Copies\n\nTo obtain additional copies of this report, call the Office of Inspector General (OIG) at\n(202) 254-4199, fax your request to (202) 254-4305, or visit the OIG web site at\nwww.dhs.gov/oig.\n\n\nOIG Hotline\n\nTo report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal\nor noncriminal misconduct relative to department programs or operations:\n\n    \xe2\x80\xa2    Call our Hotline at 1-800-323-8603;\n    \xe2\x80\xa2    Fax the complaint directly to us at (202) 254-4292;\n    \xe2\x80\xa2    Email us at DHSOIGHOTLINE@dhs.gov; or\n    \xe2\x80\xa2\t   Write to us at:\n           DHS Office of Inspector General/MAIL STOP 2600, Attention:\n           Office of Investigations - Hotline, 245 Murray Drive, SW, Building 410,\n           Washington, DC 20528,\n\nThe OIG seeks to protect the identity of each writer and caller.\n\x0c'